What does a file go through to complete a secure, efficient journey?
Ever wonder what a day in the life of a file looks like, and what kind of things you can expect to happen to it over those hours? Well, I have, and after setting off to find the details — I wonder no longer. Now that I have some hour-by-hour expertise, I feel equipped to explain several different aspects of file creation, storage, security and file handling I hope you'll find informative and valuable. So, let's jump in.
On any given day a lot can happen to a file. Obviously, files are created when valuable information is stored. You need to protect that file, and so layers of security get applied, often with mixed results. Files are subject to threats, and the security you've applied (or haven't applied) is tried and tested as files are transferred around. With all kinds of files, there's movement between systems, people and all kinds of different endpoints.
Last of all, there is the retirement — the aftermath of the life cycle of a file — where you ask, “Was that supposed to happen?” Did you see completely what happened during the life of the file?
All these events constitute the life cycle.
Appraising the Value of a File
What makes a file valuable? It comes down to the context, the actors and the quality of a file — and not just one file — but all files. There's an estimate from a Stanford University study that suggests over 2.3 exabytes of healthcare data will be produced next year. It's rumored that even now the New York Stock Exchange produces one terabyte of data every trading day. Not everything is as important or valuable as one's healthcare data or the trades that help to grow your retirement accounts — but your company’s data should be considered as precious as any by its employees.
So, let's think about this. What makes a file valuable? This is an exercise worth walking through with your data in your own organization because it will be especially helpful in highlighting whether you have important files that need some extra care that perhaps you're neglecting. Some of the following factors will help in assessing the value of your company’s files.
Understanding the Context of a File
First, let’s look at the context. What does that include? You need to look at the content category, whether it's healthcare data, finance data, perhaps purchase transactions, personal data like Social Security numbers or other personally identifiable information (PII) that can put your file in a sensitive category. You want to consider whether the file has data that should be public or private and whether it is in that state right now. You want to consider the source of a file, whether you produced it or there is some other source and you are just holding onto that data. You also want to consider the context of legal protections around that data.
You're probably familiar with compliance regulations that have severe penalties if they're not adhered to properly, like HIPAA, PCI DSS, GDPR, and of course many others. So, the context is incredibly important.
Next, we look at actors. Actors can be producers of data. They may be consumers of data, or simply custodians of data. Knowing the role you and your organization play in a given file or set of files is important for understanding the value of that file to your company.
Quality of a File
And of course, there is quality. Quality comprises things like security, whether you know the chain of custody of that file throughout its life cycle or whether you can maintain the integrity of the data in that file. All these inputs together tell you what you need in order to manage files for their entire life-cycle.
Value and risk are strongly correlated when it comes to a file. The higher the value of a file, the more risk you carry in ensuring that it is properly stored, protected, transferred and monitored. The better you manage the risk around the file, the better you can preserve and realize the file's value for yourself and your organization.
Protecting a File
There are several ways you can add protection to a file: location, awareness, authorization and encryption. Not all of these are applied at once. In fact, each of these categories of file protection will be applied only to the extent that someone has thought of applying them to a given set of files. You also need to consider your organization's ability to implement those measures to protect the files. So, let's look at each of these in turn.
Let’s start off with location, looking at a file or group of files. Where did it come from? Where is it stored now? Is this the only copy? Where is this file supposed to be when you’re done using it? If you're dealing with a very sensitive file, you really should be asking, did you or your coworkers or another one of your stakeholders just post that file on the internet?
It is imperative to know where your files are, how many copies there are and whether they should be where they are. Ultimately, you just need to know where the file is located and whether it is where it should be.
Awareness involves knowing where you put a file. Do the right people know you created this file? Have you shared that information with others? Do they know where to find the file? And maybe one of the most important questions is, does your IT team know you made this file — and that it's important to you?
Authorization issues include: Do your files have the right share permissions, OS permissions or policies? When it comes to policies, have you put rules into place that will help you respond appropriately when an unauthenticated actor tries to access or use a file? Do those policies prevent unauthenticated users from viewing or gaining access to the file or affecting its state? Have you put in place policies that will help control the flow of files between systems and endpoints?
Encryption is critical to file security. You should ask, “Is my file encrypted in transit?” meaning is it protected when it's being sent from one place to another. You should also ask, “Is it encrypted at rest?” when it's just sitting on the storage where you intend it to be. Is there a way to make sure that all valuable files have the same high level of encryption without any gaps? If someone cracks the key to your encryption, what then?
These are important questions that you can apply to your own individual files and groups of files to understand whether you have put the proper value on your files and whether you’re taking on too much risk by not fully protecting those files.
Threats to Files
Of course, there are threats throughout any given time period. There are both internal and external threats, and so you need to know who could possibly be coming for you or for your files.
Internally it could be compromised users, meaning people that have authenticated access to your files but also have malicious intent. It could be contractors or third parties that are getting access to your files that you don't intend. Internally you may have accidental misuse or disclosure of a file. You might have partners or joint ventures that have lax file security, and so the security you applied to your files isn't maintained when a file leaves your organization. It could be service providers and system or application vendors that have access to your files that you didn’t intend to.
Externally, there can be phishing, spear-phishing and whaling attacks. There can be malware and ransomware. There could be a distributed denial of service attacks to prevent access to your files. There can be advanced persistent threats, botnet attacks, malicious macros and scripts.
Inside the Life of a File
For all these threats, quantifying these risks can be calculated by the impact on your business, fines you might have to pay for a breach of compliance and liability for losing control of your files. So, let's look at what might happen on any given day for a file.
New files are created. They're stored somewhere. Sometimes in multiple locations. Those files may require compliance with regulatory standards. Those files get shared with other parties. It could be backed up to a separate location. They may reach one or more mobile endpoints, which is happening all the time in most organizations. Your files may undergo audits for data security and compliance. The state of your file's security could be reviewed with executives and other stakeholders. IT governance measures the effectiveness of this whole process. Threats can be present at almost any point in this process and understanding those risks and reducing the risk to the fullest extent possible is something that every organization should be striving to do.
So, how to win the day in the life of our file. Well, some of the most frequently overlooked aspects of proper file management include the following:
Workflow and Automation
First, establish a centrally managed workflow for secure file sharing. In a lot of organizations, there are individuals in IT and outside of your IT team who may be trying to securely transfer files and are cobbling together different tools to make that happen. Maybe they're downloading a tool, like a free FTP tool over the internet. Lacking centrally managed workflow opens all kinds of gaps in the security and puts undue risk on your files.
Don’t Forget Encryption
Another overlooked aspect: ensuring data is encrypted both at rest and in transit. That means you are securing your file with strong industry-standard encryption protocols that apply to the data whether it's being sent or not. Most tools you'll find out there that are easy to use and lack central management will at best provide some encryption in transit, but not encrypt data at rest. So that is something very important to keep in mind.
Another frequently overlooked aspect is capturing an evergreen audit trail to measure your security effectiveness. This way your organization can say with certainty, “I know where my files are, I know where they've been and who tried to access them, whether it was an authenticated authorized user or not.” This is something that only a proper file management practice will give you.
Lastly, providing a unified approach to Secure File Transfers that meets strong compliance standards is key. Here we're talking about meeting the requirements of HIPAA, GDPR, PCI DSS and so on. There are very specific requirements in each of these compliance standards, and there are heavy penalties for failing to meet them. This is often overlooked when putting together a Secure File Transfer workflow, and it's something that we need to address.
The Managed File Transfer Solution
At the end of the day, all these best practices can be met with a Managed File Transfer (MFT) solution. Progress MOVEit is our secure and compliant MFT solution. It's used by thousands of organizations worldwide for the secure transfer of sensitive, mission-critical data. It enables you to transfer critical data between users, different locations and even partners outside your organization. Perhaps most importantly, you can automate workflows for Secure File Transfer and then reduce or even eliminate human error that opens your files up to unnecessary risk in the process
Let's have a look at the different components that make up the Progress MOVEit platform. Basically, it's a full set of Secure File Transfer software tools. It starts with MOVEit Transfer, which is the Secure File Transfer Server. It runs on Microsoft Windows, is very easy to set up and intuitive to use.
I mentioned automation previously. MOVEit Automation enables the automated and easy to configure the transfer of files even for very complex workflows. We offer MOVEit Gateway, which is a DMZ-resident reverse proxy for an added layer of security. Then there’s MOVEit Cloud, which is MOVEit Transfer hosted in the Microsoft Azure cloud by Progress for you and offered up as a Managed File Transfer as a Service.
MOVEit has been around for a long time, and it's a leader in the Managed File Transfer industry. MOVEit placed first in this summer's G2 reports for Managed File Transfer, and we've been recognized as a leader in multiple categories including best usability, easiest to use and best-estimated ROI.